Win2K Pro provides effective client security

Windows 2000 Professional offers several new security features that are great for stand-alone computers. Find out how EFS, IPSec, and smart cards can help better protect your workstations.

The new security features in Windows 2000 Server are well known: the use of Kerberos authentication, the control of network objects through Active Directory, and the inclusion of certificate services. But what about the desktop itself? Does Windows 2000 Professional have security features that make it worth upgrading end-user machines as well? And, if you’re not on a network but simply using Windows on a laptop, do you need to upgrade your stand-alone machine?

In a word—yes. Windows 2000 Professional includes a number of important and useful security features that are not tied to network use. If you have local data that is confidential, or if you need secure communications over the Internet, then Windows 2000 Professional may be for you.

Encrypting File System
The local security feature that is getting the most press is the Encrypting File System, or EFS. The ability to encrypt files on a hard drive has been around for years as an add-on product from companies such as Symantec. For the first time, Microsoft has included this capability in an operating system.

EFS couldn’t be easier to use. Simply right-click on the file or folder you want encrypted, choose Properties, and then on the General tab click Advanced. In the resulting dialog box, check Encrypt contents to secure data (see Figure A).

Figure A
The Advanced Attributes settings

Now any file stored in that folder will be encrypted when saved and decrypted when opened. The encryption uses 128-bit public-key encryption on the file and then encrypts the key as well. If the file (or even the entire laptop) is stolen, it cannot be read without proper logon to the operating system.

There is a way around EFS, however. A separate recovery key is automatically created when you use EFS. This enables administrators to access the data without knowing the user’s system password. As an extra precaution, you should back up your recovery key to another location, such as a floppy disk, and then remove the recovery key from the computer.

You’ve encrypted your files using EFS, but then it hits you: What happens when you send that file, or anything else, over the Internet? Enter IPSec.

IPSec (IP Security) is a set of protocols that encrypts data sent between two computers over an unsecured network, such as the Internet. The OS applies the encryption at the network layer, so the encryption doesn’t affect the applications that are using it. Each IP packet is encrypted before it hits the wire and then decrypted at the other end, making the data unreadable while in transit.

IPSec ensures that no one can modify your data, or even view it, on its way across the network. This means that your IP address is also hidden during transit. IPSec can be configured to authenticate you based on your Kerberos login, on a digital certificate, or on a user-defined password.

To select an IPSec policy for your workstation, open the Network And Dial-Up Connections window. Select Local Area Connection | File | Properties. From the Local Area Connection Properties dialog box, select Internet Protocol (TCP/IP) and then click Properties. Click the Advanced button and then select the Options tab. Under Optional Settings, select IP Security and then Properties. Figure 2 shows the IP Security dialog box.

Figure 2
IPSec policies can only be set by a member of the Administrators group.

An important point about IPSec is that it is an industry standard. It is used by many vendors as part of their VPN offerings, unlike PPTP, which was predominantly a Microsoft-only tool. It seems that Microsoft now realizes it’s time to incorporate tools that are standard in other parts of the industry.

Smart cards
A smart card is a wallet-sized card with an internal computer chip that stores data about the card owner, including the owner’s private key, logon information, and certificates. To use the card, it must be inserted into a card reader attached to the computer, and then a PIN must be entered on-screen. This makes smart cards safer than passwords, because both the card and the PIN must be present for the user to gain access to either the computer or the network. In addition, the same card can be used in multiple locations, thus enabling true portability of security and eliminating the need to transmit things like private keys over the network or through e-mail (from your office machine to your home machine, for example).

New security features a step in the right direction
Windows 2000 Professional contains a number of security improvements and additions that make it a compelling upgrade for anyone concerned about security on his or her workstation. File and folder encryption alone might be justification enough to upgrade for some. The move to the IPSec standard is also welcome news. And for certain users and certain applications, smart cards may provide the required extra level of security. Add in the security features that accrue when using Professional in a Win2000 network environment, and Windows 2000 Professional is a major step forward for Microsoft in the security arena.
What do you think of Windows 2000 Professional’s security features? Are they a vast improvement over Windows NT or only a minor step ahead? Let us know what you think and why. Post a comment or write to Bruce Maples and share your thoughts.

Editor's Picks